[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: fully transparent ftp-proxy?
Interesting idea ;)
As I also pointed out, the security could be increased by linking
embrionic states with the filter rules. Like adding an "embrionic" keyword
or something similar, so that an embrionic state will only try to match if
it matches a permissive filter rule.
That way, the proxies still need to have some form of permission given by
To implement that however, for it to be effective, you would need to be
able to give proxies access to some pf ioctl functions (like adding
embrionic states), but not others (like adding rules). I'm guessing this
could be accomplished with systrace, but I think some other check in
pf_ioctl would be more secure.
On Wed, 30 Oct 2002, Daniel Hartmeier wrote:
> On Wed, Oct 30, 2002 at 08:41:12PM +0000, Roy Badami wrote:
> > It seems to me that whilst it might require a minimal amount of kernel
> > machinery to permit setup of the outgoing connection from the proxy,
> > once established it is identical in nature to the incoming
> > connection...
> This could be solved with 'embryonic states', a separate list/tree of
> state entries that lack certain parts (like source ports, which are
> usually random and not known in advance). After the normal state lookup
> (if it fails), but before the rule set evaluation, a matching embryonic
> state would be completed and turn into a normal state.
> Proxies could insert embryonic states instead of listening for incoming
> connections, establishing connections and forwarding data between them.
> Also, embryonic states could include all sorts of address/port
> translations, so even connections established by the proxy (for instance
> the ftp control connection) could appear to originate from the real
> client address through a source address translation.
> There are many ways proxies could use this feature, potentially making
> the proxy code much shorter. But there are also security implications,
> as a state entry bypasses all filter rules. But it's definitely something
> I want to try. There are several problems to solve, like supporting
> different kinds of incomplete states while keeping lookups efficient. If
> they're solved, and the concept works and is safe, I guess ftp-proxy
> could (optionally, if necessary) use that to become fully transparent.